In this blog I want to demonstrate how adversaries build a custom password wordlist (a "password database") for dictionary-style brute force attacks. The goal is to make users aware of why a password linked to someone's identity, company or hobbies is a bad idea: it is exactly the kind of password such a wordlist is built to contain. With the help of CeWL and CUPP, an adversary can create that wordlist in minutes. Credits to the authors are linked at the end of this post 🙂
Disclaimer: This technique is not new and is publicly documented. It is shown here for educational purposes only. The city is purely fictional and was created for security awareness demos only. No real systems or data are involved.
🕵️ OSINT & Reconnaissance
Adversaries start with open-source intelligence (OSINT). They collect information from social media platforms such as LinkedIn, Instagram, X and Facebook to learn someone's identity, behavior, hobbies and more, and from the employer's own website to learn names, email formats and the company vocabulary. This profile is later used both for guessing passwords and for social engineering.
🎯 Demonstration
For this blog I created a fictional website called Stadt Opfthal. Stadt Opfthal publishes its employee information, such as email addresses and full names, on the website.
With the help of CeWL I spidered the website, extracted every word it contains and saved the unique words into a file called opfthal.txt. Words scraped from a company site (place names, department names, slogans) are a strong base for a wordlist because employees reuse them in passwords.
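To show what CeWL is actually doing, here is a minimal CeWL-style scraper as an added example. This is not CeWL's own code; it runs over a constructed HTML page for the fictional Stadt Opfthal site (the page content, the `dean.winchester@opfthal.example` address and the `opfthal.txt` output are assumptions made for the demo) and mimics three CeWL behaviours: a minimum word length (`-m`), occurrence counts (`-c`) and email extraction (`-e`). Script and style contents are skipped because they are not text a user would ever see or reuse.

```python
"""Minimal CeWL-style word scraper over an embedded HTML page.
Added example, not CeWL's code; the sample page below is constructed."""
import re
from collections import Counter
from html.parser import HTMLParser

# Constructed sample page for the fictional Stadt Opfthal site (not a real site).
SAMPLE_HTML = """
<html><head><title>Stadt Opfthal - Gemeindeverwaltung</title>
<script>var tracking = "ignore-me";</script>
<style>.nav{color:red}</style></head>
<body>
<h1>Willkommen in Opfthal</h1>
<p>Gemeindeschreiber: Dean Winchester (dean.winchester@opfthal.example)</p>
<p>Öffnungszeiten der Verwaltung: Montag bis Freitag. Opfthal liegt im Tal.</p>
</body></html>
"""


class TextExtractor(HTMLParser):
    """Collect visible text only; skip <script> and <style> bodies."""
    SKIP = {"script", "style"}

    def __init__(self):
        super().__init__()
        self.parts = []
        self._skip_depth = 0

    def handle_starttag(self, tag, attrs):
        if tag in self.SKIP:
            self._skip_depth += 1

    def handle_endtag(self, tag):
        if tag in self.SKIP and self._skip_depth:
            self._skip_depth -= 1

    def handle_data(self, data):
        if not self._skip_depth:
            self.parts.append(data)


# Letters incl. Latin-1 umlauts, so "Öffnungszeiten" survives as one word.
WORD_RE = re.compile(r"[A-Za-zÀ-ÿ]+")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")


def scrape_words(html, min_length=3):
    """Return a Counter of visible words with at least min_length characters
    (CeWL's -m defaults to 3). Matching is case-sensitive, like CeWL."""
    parser = TextExtractor()
    parser.feed(html)
    counts = Counter()
    for word in WORD_RE.findall(" ".join(parser.parts)):
        if len(word) >= min_length:
            counts[word] += 1
    return counts


def scrape_emails(html):
    """Like cewl -e: collect email addresses from the raw page source."""
    return sorted(set(EMAIL_RE.findall(html)))


def write_wordlist(counts, path="opfthal.txt"):
    """Write the words most-frequent-first, one per line (cewl -w style)."""
    with open(path, "w", encoding="utf-8") as fh:
        for word, _ in counts.most_common():
            fh.write(word + "\n")


if __name__ == "__main__":
    counts = scrape_words(SAMPLE_HTML)
    for word, n in counts.most_common(5):
        print(f"{n}\t{word}")
    print("emails:", scrape_emails(SAMPLE_HTML))
    write_wordlist(counts)
```

The frequency count is the part worth keeping: "Opfthal" turns up more often than any other word on the page, which is exactly why it ends up as the base of the organization's password pattern later in this post.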

After profiling the Gemeindeschreiber (municipal clerk) Dean Winchester through OSINT, I now know his hobbies and parts of his private life. One of his hobbies is hiking. He also has a cat called Hugo 🐱. With this information we can now use CUPP to generate a custom wordlist built around him: it takes the names, pet, hobbies and dates we feed it and produces the usual mutations (capitalization, leetspeak, appended years and special characters). As you can see in the gif, we can also add the target's partner's name. This is not exhaustive. Adversaries can be creative.

The third gif shows how easy it is to write a Python script that generates a custom wordlist once someone figures out the password pattern (the "password concept") of an organization. For example:
Opfthal2025!
Opfthal2025$
Opfthal2026@
The pattern is simple. The first letter is capitalized. Opfthal is the company name. 2025 is the current year, because users apparently like to use it, and 2026 covers the next password change. And they love special characters like $, ! or @ 😅. Such a list is tiny (a handful of years times a handful of symbols), which is what makes it dangerous: it can be tried against every account without tripping a lockout. We have now created a custom wordlist for Dean Winchester and added the organization's password pattern on top.
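To make both steps concrete, here is an added example (my own code, not CUPP's and not the script from the gif) that builds the personal wordlist for Dean Winchester the way CUPP would, generates the Opfthal password pattern, and finally shows the defender's use of the same output: a banned-password check. The profile below is constructed from the fictional OSINT in this post; the partner's name is left empty because the post does not give one, and the year range and symbol set are assumptions.

```python
"""CUPP-style personal wordlist + organization password pattern.
Added example; the profile is constructed for the fictional target."""
import itertools

# Constructed OSINT profile for the fictional Dean Winchester.
PROFILE = {
    "names": ["Dean", "Winchester"],
    "hobbies": ["hiking"],
    "pets": ["Hugo"],
    "partner": [],  # add the partner's name here once known (not given in the post)
}

YEARS = [str(y) for y in range(1970, 2027)]  # birth years up to the current year (assumed range)
SPECIALS = ["!", "$", "@", "#"]               # the symbols users love (assumed set)
LEET = str.maketrans({"a": "4", "e": "3", "i": "1", "o": "0", "s": "5"})


def case_variants(word):
    """hugo, Hugo, HUGO"""
    return {word.lower(), word.capitalize(), word.upper()}


def leet(word):
    """Hiking -> H1k1ng (lowercase letters only, like a typical user would)."""
    return word.translate(LEET)


def personal_wordlist(profile, years=YEARS, specials=SPECIALS, min_len=8):
    """Mangle the profile tokens into password candidates (CUPP-style).
    Only candidates of at least min_len characters are kept, so the list
    matches a typical minimum-length policy."""
    tokens = [t for values in profile.values() for t in values]
    base = set()
    for token in tokens:
        base |= case_variants(token)
    base |= {leet(w) for w in list(base)}
    # Two-token combinations such as DeanHugo or hugodean.
    for a, b in itertools.permutations(tokens, 2):
        base.add(a.capitalize() + b.capitalize())
        base.add(a.lower() + b.lower())
    candidates = set(base)
    for word in base:
        for symbol in specials:
            candidates.add(word + symbol)
        for year in years:
            candidates.add(word + year)
            candidates.add(word + year[-2:])
            for symbol in specials:
                candidates.add(word + year + symbol)
    return sorted(c for c in candidates if len(c) >= min_len)


def org_pattern_wordlist(company="Opfthal", years=range(2023, 2027), specials=SPECIALS):
    """Opfthal2025!, Opfthal2025$, ... once the organization's pattern is known."""
    return [f"{company.capitalize()}{year}{symbol}" for year in years for symbol in specials]


def is_banned(password, banned):
    """Defender side: reject a password that appears in the generated lists,
    ignoring case so Hugo2025! and hugo2025! are treated alike."""
    return password.lower() in banned


def build_banned_set(profile=PROFILE):
    """Lower-cased union of both lists, for use as a banned-password set."""
    return {p.lower() for p in personal_wordlist(profile)} | {
        p.lower() for p in org_pattern_wordlist()
    }


if __name__ == "__main__":
    personal = personal_wordlist(PROFILE)
    org = org_pattern_wordlist()
    print(f"{len(personal)} personal candidates, {len(org)} org-pattern candidates")
    with open("dean_winchester.txt", "w", encoding="utf-8") as fh:
        fh.write("\n".join(personal + org) + "\n")
    banned = build_banned_set()
    for pw in ["Hugo2025!", "Opfthal2026@", "correct horse battery staple"]:
        print(pw, "-> banned" if is_banned(pw, banned) else "-> ok")
```

Note the asymmetry: the personal list has tens of thousands of entries and is only worth running against one account, whereas the organization pattern is 16 entries and can be sprayed across every mailbox. A defender can run the very same generator against the company name and the public staff list and feed the output into the directory's banned-password list.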

💀 What can an adversary do now?
From here the adversary can run the wordlist against Dean Winchester's account, typically slowly enough to stay under the lockout threshold, or spray the short organization pattern across every account at once. Ah, you think he is not a juicy target because he has low privileges? He is only the Gemeindeschreiber after all?
Think again.
Once an adversary has a foothold in Dean Winchester's mailbox, they can send phishing emails internally. Employees trust internal senders, and internal mail bypasses most of the external-sender warnings and filters. One click, credentials entered, and the attack spreads 🌐. I will cover this in a future blog post.
🔐 What should users do?
Regardless of the technical measures an organization takes, users are always a factor.
Activate MFA, ideally a phishing-resistant method such as a passkey or hardware key. Use a password manager so every password is random and has nothing to do with your name, company, pets or hobbies. Participate in regular security awareness training.
Organizations should do the same exercise as the attacker: run CeWL against their own website and CUPP against their public staff list, feed the result into a banned-password list, and monitor for password spraying. Awareness training must be enforced throughout the organization, not treated as a once a year checkbox.
🛠️ Tools used
CeWL by Robin Wood (digininja): https://github.com/digininja/CeWL
CUPP by Mebus: https://github.com/Mebus/cupp
Thank you for reading 😊
— trex1e